A database server stores data in one or more data containers; each container contains records, and the data within each record is organized into one or more fields (also called attributes). In a database system that stores data in a relational database, the data containers are referred to as tables, the records are referred to as rows, and the attributes are referred to as columns. In object oriented databases, the data containers are referred to as object classes, the records are referred to as objects, and the attributes are referred to as object attributes. Other database architectures may use other terminology.
The present invention is not limited to any particular type of data container or database architecture. However, for the purpose of explanation, the examples and the terminology used herein shall be that typically associated with relational databases. Thus, the terms “table”, “row” and “column” shall be used herein to refer respectively to the data container, record, and field.
A database server retrieves and manipulates data in response to receiving a database statement. Typically the database statement conforms to a database language, such as Structured Query Language (SQL). A database statement can specify a query operation, a data manipulation operation, or a combination thereof. A database statement that specifies a query operation is referred to herein as a query. The present invention is not limited to database statements that specify a particular type of operation. However, for the purpose of explanation, embodiments of the present invention are illustrated using queries.
One function of a database server is to control access to sensitive database data. Security mechanisms on database servers control what data may be accessed by a query issued by an end-user. A database may hold a large amount of sensitive data that is regulated by law or other policy requirements. For example, such sensitive data may be customer data or employee data. Regulations may restrict access to the sensitive data to only qualified parties. A database user, such as a corporation or government entity, may need to find ways to comply with regulatory or policy requirements regarding data privacy and security. When a database user allows parties to access a database storing sensitive data, the database user must ensure that the parties, as end-users of the database, do not have access to more information than is allowed.
Some database technologies attempt to provide privacy protections for sensitive data stored in a database. For example, according to one technique, sensitive data is protected by overwriting copies of the sensitive data with random data so that an end-user cannot view disallowed data. However, such an all-or-nothing “binary” approach gives the end-user no information at all about the sensitive data while it is protected. Such overwriting of sensitive data may be performed in a “static” manner, which means the sensitive data is overwritten before any queries for the sensitive data are handled.
According to another technique, sensitive data is protected by partially modifying the sensitive data. However, to query the partially modified sensitive data, an end-user must be aware of the specific technique used to derive the partially modified data from the original sensitive data. Other techniques add an extra predicate to a query to filter out sensitive data. These techniques lack the flexibility and fine-grained access control needed to protect sensitive data while preserving as much of its utility as possible.
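The three conventional protections described in the two preceding paragraphs (static overwriting with random data, partial modification, and an added filtering predicate) are illustrated below as an added example; this code is not part of the patent and does not describe the invention. It builds a constructed, in-memory SQLite table of hypothetical customers (the rows, the table and function names, and the mask convention of keeping the last four digits are all assumptions made for the illustration) so that each technique's limitation can be observed: the static copy returns values that carry no information, the partial copy can only be queried by a user who knows the mask convention, and the predicate drops whole rows rather than controlling individual columns.

```python
"""Added example (not from the patent): three conventional ways of protecting a
sensitive column, applied to a constructed SQLite table so their trade-offs can
be observed."""
import random
import sqlite3

# Constructed sample rows (hypothetical customer data, not real people or cards).
ROWS = [
    (1, "Alice Ng", "4111222233334444", "alice@example.com", "US"),
    (2, "Bao Tran", "5500111122223333", "bao@example.com", "VN"),
    (3, "Cara Ruiz", "6011333344445555", "cara@example.com", "US"),
]


def make_db():
    """Create the in-memory table holding the constructed sensitive data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER, name TEXT, card TEXT, email TEXT, country TEXT)")
    con.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", ROWS)
    return con


def static_overwrite(con, seed=0):
    """Technique 1: overwrite a copy of the sensitive column with random digits
    before any query is served. The end-user receives a value, but it carries
    no information about the original (all-or-nothing)."""
    rng = random.Random(seed)
    con.execute("CREATE TABLE customers_masked AS SELECT * FROM customers")
    for (rid,) in con.execute("SELECT id FROM customers_masked").fetchall():
        fake = "".join(rng.choice("0123456789") for _ in range(16))
        con.execute("UPDATE customers_masked SET card=? WHERE id=?", (fake, rid))
    con.commit()


def partial_mask(value, keep_last=4):
    """Technique 2: keep a suffix and replace the rest. Assumed convention:
    only the last `keep_last` characters survive. A user querying the masked
    copy must know this convention to write a matching predicate."""
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def build_partial_copy(con):
    """Materialize a partially modified copy of the table using partial_mask."""
    con.execute("CREATE TABLE customers_partial AS SELECT * FROM customers")
    for rid, card in con.execute("SELECT id, card FROM customers_partial").fetchall():
        con.execute("UPDATE customers_partial SET card=? WHERE id=?", (partial_mask(card), rid))
    con.commit()


def query_with_predicate(con, sql, allowed_country):
    """Technique 3: wrap the user's query and append an extra predicate so
    disallowed rows never reach the user. Coarse: whole rows vanish and there
    is no per-column control over what the remaining rows expose."""
    return con.execute(f"SELECT * FROM ({sql}) WHERE country = ?", (allowed_country,)).fetchall()


def demo():
    """Run all three techniques and return the observations as a dict."""
    con = make_db()
    original_card = ROWS[0][2]

    # Technique 1: the masked column is random; an exact-match query finds nothing.
    static_overwrite(con)
    masked_cards = [c for (c,) in con.execute("SELECT card FROM customers_masked ORDER BY id")]
    masked_hit = con.execute("SELECT COUNT(*) FROM customers_masked WHERE card = ?",
                             (original_card,)).fetchone()[0]

    # Technique 2: an exact-match query also fails, but a suffix query that
    # knows the "last four digits" convention succeeds.
    build_partial_copy(con)
    partial = [c for (c,) in con.execute("SELECT card FROM customers_partial ORDER BY id")]
    partial_eq_hit = con.execute("SELECT COUNT(*) FROM customers_partial WHERE card = ?",
                                 (original_card,)).fetchone()[0]
    partial_like_hit = con.execute("SELECT COUNT(*) FROM customers_partial WHERE card LIKE ?",
                                   ("%" + original_card[-4:],)).fetchone()[0]

    # Technique 3: the user asked for every customer; the predicate keeps only US rows.
    filtered = query_with_predicate(con, "SELECT * FROM customers", "US")

    return {
        "masked_cards": masked_cards,
        "masked_hit": masked_hit,
        "partial": partial,
        "partial_eq_hit": partial_eq_hit,
        "partial_like_hit": partial_like_hit,
        "filtered_ids": [r[0] for r in filtered],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the behaviours the text attributes to each technique: the static copy's card values are unrelated 16-digit strings, so no query against them returns useful information; the partial copy answers `LIKE '%4444'` but not an equality test on the real value, so the querying user must know how the data was modified; and the predicate approach silently removes the non-US rows while leaving every column of the surviving rows fully visible.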
The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.